How to Set Up a Free (Secure!) Web Server at Home

Behind Your Cable Modem and Get Away With It

by Khoder bin Hakkin

Many readers have a cable modem (or DSL) connection with a de facto (though not contractually guaranteed) static IP address.

They might like to run a web server, but their service contract prohibits "servers" and some ISPs apparently scan for this or, as in my case, block incoming TCP port 80.

This article describes how I set up a web server on a Windoze machine in such circumstances.  I also set up a secure (SSL) site on the same machine, providing visitors with confidentiality.  And I run CGI scripts, which handle passwords, providing authentication of my visitors.

All this for free, on a clunker (200 MHz / 32 MB RAM) Windows NT machine, one of several PCs behind a cable/DSL "router" in my home LAN.  (Note:  NT isn't necessary; all this applies to Windows 95 and later, too.  In fact, given that NT requires twice the memory this clunker PC has, and that everything is done with free tools, the whole project is a kind of performance art piece about technological minimalism.)

I use this to put hundreds of megabytes of JPEGs, MPEGs, and streaming toddler videos on my kid's web site.  It only gets family traffic and doesn't get indexed by search engines.  Trying from a remote high-speed site (work), I've measured the full 256 kbit/sec nominal cable modem upload speed on my little clandestine server.

Skills Used:  HTML, software installation, batch files, CGI programming, configuring your firewall, finding your IP address.

Equipment Required: Any Wintel PC, fixed-IP address (cable or DSL) ISP, firewall optional.

The Problem:  Port 80 is blocked.  The default Microsoft server doesn't have configurable ports.  The clunker machine has too little memory.  I also have to figure out how to tell my cable/DSL router/firewall to admit connections.

Solution:  You can use any web server.  I found a lightweight, free web server called TinyWeb at www.ritlabs.com/tinyweb.  It comes with source.  It runs automatically from a little batch script which is started when I log in.  I tell it to use port 81.  Any port number will do.  With TinyWeb you must have an index.html page; directory browsing is not allowed.

Test by browsing http://127.0.0.1:81 on the local machine.

NAT

All the machines behind my cable router have a private, static 192.168.1.x IP address, and the cable router multiplexes these into the address (DHCP-assigned, but again, de facto static) assigned to me by my ISP, from one of its net address blocks.

By default, my router does not allow incoming connections.  Go into its configuration and map port 81 to the private (LAN) static address of your host machine.

Test by browsing to http://12.34.56.78:81 from any other machine, getting a friend to try it, or going through a proxy.  Replace 12.34.56.78 with your own static/dynamic IP.

SSL

The same web site provides a TinySSL server which handles SSL.

It also provides tools to create the server-side certificate yourself.  (Security aside: here you are certifying yourself as yourself, which is useless.  When a commercial site pays money to Verisign or some other third party, why/how should the customer trust that third party?  You can't sue them.)

Make sure to run TinySSL on a different port than your regular web server if you run both!  And remember to tell the firewall to allow incoming connections on the port you use, as above.

Test by visiting: https://12.34.56.78:82

Note https, not http, and the different port number (82).  You'll see your own certificate's info too.

CGI

TinyWeb supports CGI, so you can write programs or scripts to compare accounts and/or passwords, and conditionally serve pages.
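A password-checking CGI script of the kind described above, as an added example that is not from the original article or from TinyWeb. It is a generic CGI program in Python; the form field names `user` and `pass`, the sample account, and the page content are assumptions, and the form should post to the SSL port so the password is not sent in the clear.

```python
#!/usr/bin/env python3
"""CGI login check: verify account/password, then conditionally serve a page."""
import hashlib
import hmac
import os
import sys
from urllib.parse import parse_qs

ITERATIONS = 200_000  # PBKDF2 work factor

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

# Constructed sample account store: name -> (salt, PBKDF2 hash), never plaintext.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ACCOUNTS = {"grandma": (_SALT, hash_password("constructed-sample-pw", _SALT))}
# Dummy entry so an unknown account costs the same hashing work as a known one.
_DUMMY = (_SALT, hash_password("no-such-account", _SALT))

def check_login(user: str, password: str) -> bool:
    salt, stored = ACCOUNTS.get(user, _DUMMY)
    candidate = hash_password(password, salt)
    # Constant-time comparison; the account must also really exist.
    return hmac.compare_digest(candidate, stored) and user in ACCOUNTS

def handle(environ: dict, body: str) -> str:
    """Return the full CGI response: headers, blank line, body."""
    if environ.get("REQUEST_METHOD") != "POST":
        return "Status: 405 Method Not Allowed\r\nAllow: POST\r\n\r\n"
    form = parse_qs(body)
    user = form.get("user", [""])[0]
    password = form.get("pass", [""])[0]
    if check_login(user, password):
        return ("Status: 200 OK\r\nContent-Type: text/html\r\n"
                "Cache-Control: no-store\r\n\r\n<h1>Family photos</h1>\n")
    # Same answer for a bad account and a bad password.
    return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nLogin failed.\n"

if __name__ == "__main__":
    length = min(int(os.environ.get("CONTENT_LENGTH") or 0), 4096)  # cap body size
    body = sys.stdin.buffer.read(length).decode("ascii", "replace")
    sys.stdout.buffer.write(handle(dict(os.environ), body).encode("utf-8"))
```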

Redirecting

So now you've got a site on the net with a URL like: http://12.34.56.78:81

You can give it a more mnemonic name, for free, by using a page on a free, public site that HTML-redirects the visitor (with no delay) to your site.  A search engine could conceivably find its way to your site that way.

Politics

A cable company is a state-licensed monopoly.  And the cable infrastructure remains closed to third-party ISPs, not open to competition like the telco's copper (for DSL), so you haven't a choice of providers.

If IP service were open to competition then a provider would, as a truly private company, have the right to deny service arbitrarily.  But a state-enforced monopoly can't.

For the state (essentially) to regulate how your bandwidth is used is unconstitutional.  (To say nothing of the monopoly's end-user service contracts that give them the right to cut you off because of your content!)  You pay for routing services and a certain upload/download speed, so you have a right to use them.

The final irony is that the P2P programs which motivate a lot of broadband subscriptions are both clients and servers.
